Problems with "dictionary based" passwords

Hi, this is a repeat of an old thread that was closed but so far as I can tell never resolved.

I've tried to change my password to something like 387chesterfield$... but cpanel tells me that this isn't possible because it is based on a dictionary word. Well, I can't find chesterfield in the dictionary, or any of the other names or made-up words that I use for the password... but previously, when I went into WHM via the root/superuser, I was able to change the password to anything I wanted for a web account.

What's going on, and why can't I override the no dictionary word restriction?

Can you please explain how to configure cpanel? (After all, I'm the only one going in to change passwords for any user account, so I should be able to choose any password I like - and interestingly, it will let me change the password to "12", telling me that it is very weak, but it won't let me choose a more complex password based on some memorable word or name.)

Alternatively, how can I issue a "password" shell command directly, or via the root user? The WHM interface is different from before, and I can't find where to change passwords for website accounts.

Staff Member

The message regarding the use of a dictionary word is an OS-level restriction, and the error is provided by the backend/OS (cPanel just displays the failure reason for you). In other words, your OS is not happy with the complexity of the password so it refused to use it.

This is controlled here on CentOS:

Code:

/etc/pam.d/system-auth

While you are welcome to manually edit the above file at your own risk, we can't support trying to subvert the default security settings of your OS to provide a less secure experience. Instead, we can only advise that you adjust the password strength configuration found at:
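The example below is added here and is not cPanel's code or anything the staff member posted. It shows what an administrator would do to find out which PAM module in /etc/pam.d/system-auth enforces the "dictionary word" check and what options it carries, and then runs a deliberately simplified cracklib-style dictionary test that explains why a password such as 387chesterfield$ is still reported as "based on a dictionary word". The system-auth excerpt and the word list are constructed stand-ins, and the mangling rules (lowercase, reverse, strip leading digits and trailing punctuation) are an approximation of cracklib's much larger rule set, not a copy of it.

```python
"""Locate the password-strength module in a PAM stack and run a simplified
cracklib-style dictionary check.  Added example: the PAM text and the word
list are constructed, and the mangling rules are a simplification of cracklib."""
import string

# Constructed excerpt in the style of a CentOS /etc/pam.d/system-auth.
# Real hosts differ; read the actual file on the server instead.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 dcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# Modules that perform the dictionary check (pam_cracklib on CentOS 6,
# pam_pwquality on CentOS 7 and later).
STRENGTH_MODULES = ("pam_cracklib.so", "pam_pwquality.so")

# Constructed word list standing in for the system cracklib dictionary.
WORDS = {"chesterfield", "password", "correct", "horse", "battery", "staple"}


def password_policy(pam_text):
    """Return (module, options) for the first strength module on the
    'password' stack, or None if the stack has no such module."""
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "password":
            continue
        module = parts[2]
        if module not in STRENGTH_MODULES:
            continue
        opts = {}
        for token in parts[3:]:
            key, _, value = token.partition("=")
            opts[key] = value  # bare flags such as try_first_pass map to ""
        return module, opts
    return None


def candidates(password):
    """Yield simplified cracklib-style variants of the password."""
    base = password.lower()
    yield base
    yield base[::-1]
    stripped = base.lstrip(string.digits).rstrip(string.punctuation + string.digits)
    yield stripped
    yield stripped[::-1]


def dictionary_word(password, words=WORDS):
    """Return the dictionary word the password reduces to, or None."""
    for candidate in candidates(password):
        if candidate in words:
            return candidate
    return None


def check(password, pam_text=SAMPLE_SYSTEM_AUTH, words=WORDS):
    """Report which module would reject the password and why, or 'ok'."""
    policy = password_policy(pam_text)
    if policy is None:
        return "no strength module on the password stack"
    module, _opts = policy
    word = dictionary_word(password, words)
    if word is not None:
        return f"{module}: it is based on a dictionary word ({word})"
    return "ok"


if __name__ == "__main__":
    print(password_policy(SAMPLE_SYSTEM_AUTH))
    for pw in ("387chesterfield$", "e$2*06iO", "correcthorsebatterystaple"):
        print(pw, "->", check(pw))
```

Running it shows that the digits and trailing symbol around "chesterfield" are stripped before the dictionary lookup, while a passphrase made of several words joined together is not matched because the dictionary holds single words. To adjust the real policy rather than this model, edit the options on the pam_cracklib.so or pam_pwquality.so line that `password_policy` identifies, and keep in mind that changes to that line affect every password change on the host, not only the one account.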

we can't support trying to subvert the default security settings of your OS to provide a less secure experience.


This is absolutely silly. "387chesterfield$" is MUCH more secure than "12". This comic explains the situation quite well. Reminding your users that the password they want is insecure isn't a problem, but restricting their ability to use passwords that THEY know are secure is outright foolish. The password "correcthorsebatterystaple" is based on FOUR dictionary words, but would take FOREVER to brute-force, while "e$2*06iO" could be guessed relatively quickly.
Thanks to all the restrictions, passwords have gotten easier and easier to guess as more and more passwords get blacklisted. "Password must contain at least 7 characters consisting of a lower and uppercase letter, and a number" may sound like it keeps out insecure passwords, but when a hacker reads that, they see "When attacking this site, you don't have to bother trying passwords like 75jih86kh, p8Ui&, or YYOIJ7I9".